Not responding would make the client susceptible to spoofing, and named has no way of deciding whether the other side is legitimate or not. The out-of-configure-zone question could come from misconfiguration somewhere and not be malicious at all.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 15. 12. 2021, at 14:33, Andrew P. <andrew...@hotmail.com> wrote:
>
> So why isn't there a way to tell BIND not to respond to queries for which it
> clearly is not authoritative (such as these attack vectors)? Since no
> legitimate resolver would be asking a non-authoritative server for
> information, why should his (or my) public BIND server respond to these even
> with an error message?
>
> ________________________________________
> From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Ondřej Surý
> <ond...@isc.org>
> Sent: Wednesday, December 15, 2021 7:18 AM
> To: Danilo Godec
> Cc: bind-users@lists.isc.org
> Subject: Re: Millions of './ANY/IN' queries denied
>
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>
> That’s the question that only you can answer. The IP addresses are
> not attacker’s but victim’s and you would be punishing those networks
> by blocking access from them to your network.
>
> Do you absolutely know that these IP addresses don’t need access
> to your DNS? If yes, then go ahead.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
>> On 15. 12. 2021, at 12:51, Danilo Godec via bind-users
>> <bind-users@lists.isc.org> wrote:
>>
>> Hello,
>>
>>
>> I'm noticing some unusual activity where 48 external IPs generated over
>> 2M queries that have all been denied (just today):
>>
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20
>> 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20
>> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>> 15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0
>> 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
>>
>>
>> I'm guessing this is some sort of a reflection attack attempt, but I
>> don't quite understand if these are the perpetrators or victims?
>>
>> Would I be doing a bad thing by using fail2ban to block these IPs?
>>
>>
>> Regards,
>>
>> Danilo
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support subscriptions.
>> Contact us at https://www.isc.org/contact/ for more information.
>>
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
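
Added example (not part of the original thread and not ISC code): a Python tally of the denied './ANY/IN' entries per source address, so volume, source-port reuse and time span can be measured before deciding on any block, given Ondřej's point that the addresses belong to victims. SAMPLE reuses the log lines quoted in the thread, rejoined one per line; the regex assumes exactly that log format, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: the BIND "security" category lines quoted in the thread.
DENIED = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\([^)]*\): (?:view \S+: )?query \(cache\) '(?P<query>[^']+)' denied"
)

# Log lines from the thread, rejoined onto one line each.
SAMPLE = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.023 security: info: client @0x7f9618019e20 194.48.217.14#59698 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.123 security: info: client @0x7f9618019e20 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.127 security: info: client @0x7f96180b3fe0 45.145.227.33#11092 (.): view outside: query (cache) './ANY/IN' denied
"""

def summarize(lines):
    """Tally denied cache queries per (source IP, query)."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        m = DENIED.match(line.strip())
        if m is None:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        s = stats[(m["ip"], m["query"])]
        s["count"] += 1
        s["ports"].add(int(m["port"]))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def report(stats):
    """Rows sorted by volume: (ip, query, count, distinct ports, seconds spanned)."""
    rows = [(ip, q, s["count"], len(s["ports"]), (s["last"] - s["first"]).total_seconds())
            for (ip, q), s in stats.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for row in report(summarize(SAMPLE.splitlines())):
        print("%-15s %-10s count=%d ports=%d span=%.3fs" % row)
```

Run against a full day's log, the per-address counts show how the 2M denied queries are distributed across the 48 sources.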